Closed shoeper closed 11 months ago
I also recommend to add additional tags.
E.g. 6.3 which always reflects the latest revision of the minor release 6.3 while e.g. 6.3.2 reflects a specific revision. There could also be a 6 tag reflecting the latest release of version 6 but I think that has a lower priority. All those versions need to be rebuilt whenever a lower layer has been updated. You also need to make sure that the build server uses the most recent version of each layer. It looks like this is not the case currently.
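The tagging and rebuild scheme proposed in the comment above, as an added example that is not part of the seafile-docker project: a POSIX shell script that derives the floating 6.3 and 6 tags from a release version, builds with `--pull --no-cache` so cached base layers cannot carry stale packages into a new tag, and only rebuilds when the pulled base image's digest differs from the one recorded at the last build. The image name `seafileltd/seafile`, the `SEAFILE_VERSION` build-arg and the `.digest` state file are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not project code. Assumed names: IMAGE repository,
# SEAFILE_VERSION build-arg, <base>.digest state file.
set -eu

IMAGE=${IMAGE:-seafileltd/seafile}   # assumed repository name

# tags_for 6.3.2 -> "6.3.2 6.3 6": the exact revision, the floating minor
# tag and the floating major tag. Anything not MAJOR.MINOR.PATCH is rejected.
tags_for() {
    v=$1
    case $v in
        *.*.*) ;;
        *) echo "tags_for: expected MAJOR.MINOR.PATCH, got '$v'" >&2; return 1 ;;
    esac
    printf '%s %s %s\n' "$v" "${v%.*}" "${v%%.*}"
}

# build_args IMAGE VERSION -> the docker build argument list, one per line.
# --pull re-fetches the FROM image even if a copy is cached locally and
# --no-cache re-runs every RUN step, so apt really installs current packages.
build_args() {
    image=$1; version=$2
    printf '%s\n' --pull --no-cache
    for t in $(tags_for "$version"); do
        printf -- '-t\n%s:%s\n' "$image" "$t"
    done
    printf -- '--build-arg\nSEAFILE_VERSION=%s\n.\n' "$version"
}

# base_changed STORED CURRENT -> exit 0 when a rebuild is needed, i.e. the
# base digest differs from the recorded one or nothing was recorded yet.
base_changed() {
    [ -z "$1" ] || [ "$1" != "$2" ]
}

# rebuild_all BASE VERSION... : pull BASE, compare its RepoDigest with the
# one stored from the previous run and rebuild every listed version when
# it changed. Needs docker; the helper functions above do not.
rebuild_all() {
    base=$1; shift
    state="$(printf '%s' "$base" | tr ':/' '__').digest"
    docker pull "$base" >/dev/null
    now=$(docker image inspect --format '{{index .RepoDigests 0}}' "$base")
    old=$(cat "$state" 2>/dev/null || true)
    if base_changed "$old" "$now"; then
        for v in "$@"; do
            echo "base $base is now $now; rebuilding $IMAGE $v"
            build_args "$IMAGE" "$v" | xargs docker build
        done
        printf '%s\n' "$now" > "$state"
    else
        echo "base $base unchanged ($now); nothing to rebuild"
    fi
}

# Usage: sh rebuild.sh ubuntu:16.04 6.3.2 6.2.5
# Run from cron or a CI schedule; every supported version gets rebuilt
# as soon as the base image publishes new layers.
if [ $# -ge 2 ]; then
    rebuild_all "$@"
fi
```

Pushing each tag after the build (`docker push "$IMAGE:$t"`) is left out so the script can be read as the build step only; the state file must live on the build server that runs it, otherwise every run looks like a first build.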
This still is a serious issue. Docker users do NOT get ANY security updates because of this.
Still an issue. Also when pulling 6.3.3 I noticed that most layers are already cached. The OS layer is already 7 months old (7 months without security patches).
@freeplant @killing
Unless build, test and upload have been automated in the meantime, it is unlikely that this has been fixed.
Sad to see that security doesn't seem to be a priority...
The base image phusion/baseimage:0.10.1 is older than ubuntu:16.04, thus the most recent security patches are missing. I'm not sure if there is any advantage in depending on the phusion base image.
I think it would be better to directly depend on ubuntu:16.04 and upgrade the image each time the ubuntu image is updated as well. I also think it would make sense to have a shared base image for ce and pro and to add version specific steps directly in the ce / pro image. When ubuntu is updated the base image and all versions you want to support for a longer time should be rebuilt, to have the latest security fixes included.
While I could find 38 security issues in the latest ubuntu:16.04 using clair-scanner, I found 81 in the latest version of phusion/baseimage:0.10.1 and 214 in the latest version of seafileltd/seafile. Running apt-get update && apt-get dist-upgrade -y in seafileltd/seafile, committing the changes and scanning the resulting image led to an image with 66 vulnerabilities.
Be a bit careful with the numbers as not all vulnerabilities might be an issue in practice. I want to say that with the current method vulnerabilities are not being patched and it looks like seafile is even using an outdated phusion/baseimage image (possibly not pulled on each build).
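The before/after measurement described in the two comments above (dist-upgrade the image, commit, scan again) as an added example that is not from the seafile-docker project: the rebuild is done from a one-line Dockerfile on stdin instead of a manual commit, and the two clair-scanner reports are compared by the number of findings that already have a fixed package ("fixedby" non-empty), which is the part of the count a rebuild on fresh layers can actually remove. The report key names "vulnerability" and "fixedby" are assumed from clair-scanner's JSON report; the embedded sample report and its CVE-EXAMPLE-* identifiers are constructed placeholders, not real findings.

```shell
#!/bin/sh
# Added example, not project code. Assumptions: clair-scanner JSON reports
# contain one "vulnerability" key per finding and a "fixedby" field that is
# empty when the distribution ships no fixed package yet.
set -eu

# count_vulns REPORT -> total number of findings in a clair-scanner report
count_vulns() {
    grep -o '"vulnerability"' "$1" | wc -l | tr -d ' '
}

# count_fixable REPORT -> findings for which a fixed package exists; these
# are the ones apt-get dist-upgrade on current layers removes. The rest
# stay whatever you do and should be read with the caveat above in mind.
count_fixable() {
    grep -o '"fixedby": *"[^"][^"]*"' "$1" | wc -l | tr -d ' '
}

# write_sample_report FILE: constructed stand-in for a real report so the
# counting can be exercised offline. Identifiers are placeholders.
write_sample_report() {
    cat > "$1" <<'EOF'
{
  "image": "example/image:1.0",
  "vulnerabilities": [
    {"featurename": "pkg-a", "featureversion": "1.0-1", "vulnerability": "CVE-EXAMPLE-1",
     "severity": "High", "fixedby": "1.0-2"},
    {"featurename": "pkg-b", "featureversion": "2.3-4", "vulnerability": "CVE-EXAMPLE-2",
     "severity": "Medium", "fixedby": ""},
    {"featurename": "pkg-c", "featureversion": "0.9-7", "vulnerability": "CVE-EXAMPLE-3",
     "severity": "Low", "fixedby": "0.9-8"}
  ]
}
EOF
}

# patch_and_scan IMAGE CLAIR_URL SCANNER_IP: build IMAGE-patched on top of
# IMAGE with all current distro updates, scan both, print the comparison.
# Needs docker, a running Clair and clair-scanner; not run by default.
patch_and_scan() {
    image=$1; clair=$2; ip=$3
    printf 'FROM %s\nRUN apt-get update && apt-get dist-upgrade -y && rm -rf /var/lib/apt/lists/*\n' "$image" \
        | docker build --pull -t "$image-patched" -
    # clair-scanner exits non-zero when it finds unapproved vulnerabilities,
    # which is exactly the case we are measuring, hence "|| true".
    clair-scanner -c "$clair" --ip "$ip" -r before.json "$image" || true
    clair-scanner -c "$clair" --ip "$ip" -r after.json "$image-patched" || true
    printf 'before: %s findings, %s with a fix available\n' \
        "$(count_vulns before.json)" "$(count_fixable before.json)"
    printf 'after:  %s findings, %s with a fix available\n' \
        "$(count_vulns after.json)" "$(count_fixable after.json)"
}

# Usage: sh compare.sh seafileltd/seafile:6.3.3 http://localhost:6060 172.17.0.1
if [ $# -eq 3 ]; then
    patch_and_scan "$@"
fi
```

A non-zero "with a fix available" count in the after report means the patched build is still not on current layers (usually a cached FROM image without `--pull`); a large remaining total with zero fixable findings is the "not an issue in practice yet" part of the number and is not something the build process can change.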